Black Friday Deals On Malware & Scams

By:Chris Mannon

November 27, 2015

The holiday season means different things to different people. For some, it’s a time for family and extravagant meals. For others, it’s a time for charity and giving. And for others still... it’s time to shop. Black Friday is once again upon us: that magical time of year when we take to the high street or the internet, hoping to find a good deal on the new device we’ve been window shopping for the last month. Users beware! Clicking on what appears to be a good deal can do far more harm than good. During this time of year, the internet is awash with phishing and scam websites looking to exploit your consumer instincts.

The Zscaler ThreatLabZ team has been monitoring a subset of opt-in data to look for a correlation between shopping activity and scams. Alongside the increase in shopping behavior, we’ve observed a steady number of scams being clicked on by users. Scammers take note of trending topics too, and of consumers’ impaired judgement at this time of year, casting a wide net of phishing, fraud and scam attacks meant to capitalize on the shopping season. Whether you are using a mobile device or your home PC, the uptick in shopping traffic, and the risk that comes with it, applies to you.

As shown in the graphs, phishing activity tends to rise with the volume of online shopping traffic, which brings the added risk of scammers taking advantage of a lapse in consumers’ better judgement.

Vawtrak Botnet Scam

Our first case study illustrates the danger of these fraudulent deals. The Vawtrak botnet (also known as NeverQuest and Snifula) is a powerful information-stealing backdoor Trojan that has been gaining momentum over the past few months. It primarily targets users’ bank accounts via online banking websites. We’ve come across numerous reports where users begin the infection cycle through spam e-mails promising a sales deal. This case appears to be no different: we see the Pony Trojan downloader being leveraged to download the Vawtrak payload from the following location.

salesdeal.magentochile[.]cl/f1.exe

VirusTotal marked this threat as a fairly well-known sample, with a detection score of 32/55 at the time of research. Vawtrak is a treacherous botnet known to target the user’s saved banking credentials and to keylog for other passwords. It achieves this by manipulating key Windows processes and lowering security settings to ensure that its Command and Control traffic can get through.

Users who suspect they are infected with this threat should look for suspicious files like the following:

C:\Users\[COMPUTERNAME]\AppData\Local\Temp\~DFECDDE19F2005BD31.TMP
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Kapag
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.exe
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Qucuz
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Sofolq
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Uoqet
C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\YidaLboz

The folder name in the ‘Local’ directory is generated randomly. The fastest way to make sure you are looking at the right directory is to check which programs are auto-starting in the registry. In this instance, the following location was observed:
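The registry check described above, as an added example that is not part of the original post: it reads the HKCU and HKLM Run keys (on Windows) and flags any autostart whose executable lives in an unrecognised folder directly under AppData\Local, which is where the randomly named Vawtrak directory sat. The sample entries, the user name `alice` and the vendor allowlist are constructed assumptions.

```python
import re
import sys

# Constructed Run-key entries (name, command line) for this example; the
# vendor allowlist below is an assumption, not part of the original post.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("KuhaKqigd", r"C:\Users\alice\AppData\Local\SuyaDruj\KuhaKqigd.exe"),
    ("Updater", r'"C:\Program Files\Vendor\update.exe" -quiet'),
]
KNOWN_LOCAL_VENDORS = {"microsoft", "google", "mozilla", "packages", "programs"}

# Matches <drive>:\Users\<user>\AppData\Local\<folder>\ and captures <folder>.
LOCAL_APPDATA_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\([^\\]+)\\", re.IGNORECASE)

def exe_path(command: str) -> str:
    """Return the executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def flag_autostarts(entries):
    """Return (value name, Local folder, exe path) for autostarts living in an
    unknown folder directly under AppData\\Local, as the Vawtrak sample did."""
    hits = []
    for name, command in entries:
        path = exe_path(command)
        match = LOCAL_APPDATA_RE.match(path)
        if match and match.group(1).lower() not in KNOWN_LOCAL_VENDORS:
            hits.append((name, match.group(1), path))
    return hits

def read_run_entries():
    """Enumerate HKCU and HKLM ...\\CurrentVersion\\Run values on Windows; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries, subkey = [], r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        except OSError:
            pass  # hive or key not readable from this account
    return entries
```

On a Windows host, `flag_autostarts(read_run_entries())` scans the live Run keys; `flag_autostarts(SAMPLE_RUN_ENTRIES)` exercises the same logic on the constructed sample anywhere.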

Once the Internet Settings have been manipulated, command and control attempts are made.

The command and control server responds with a list of locations from which to fetch configuration files as well as other malicious payloads. In the instance we observed, we received the keylogging botnet NetWired.

NetWired leaves two processes actively running that beacon to suspicious destinations. These processes collect stolen data and exfiltrate it to the threat actors.

From our research, the NetWired botnet communicates with the following server IPs:


Free iPhone 6 scams

Many scam sites offer a free iPhone 6 to lure victims into click-fraud attacks. These sites also ask for personal information such as a phone number, address, or e-mail address, and victims end up handing over data that can be leveraged in future scams. The screenshot below shows scammers doing their best to make a site look like an official Apple site.

Some scams also ask for shipping fees to collect additional funds as well as sensitive information.

Scammers leverage brand names to provide an air of legitimacy to their scam websites. Some examples we have seen:

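A simple check for the brand-in-hostname trick described above, as an added example that is not part of the original post: it refangs a defanged URL, approximates the registrable domain, and flags hosts that mention a brand they do not own. The sample URLs (all under the reserved `.test` TLD) and the brand-to-domain allowlist are constructed assumptions.

```python
from urllib.parse import urlsplit

# Brands and the registrable domains they legitimately use. The mapping is an
# assumed allowlist for this example, not a list from the original post.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "iphone": {"apple.com"},
    "facebook": {"facebook.com", "fb.com"},
    "amazon": {"amazon.com"},
}

def refang(url: str) -> str:
    """Undo the [.] [:] [-] defanging commonly used for indicators in reports."""
    return url.replace("[.]", ".").replace("[:]", ":").replace("[-]", "-")

def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels. Good enough
    for .com/.xyz/.eu; multi-label suffixes such as co.uk need a suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def brand_impersonation(url: str):
    """Return (brand, registrable domain) when the host name-drops a brand it
    does not own, e.g. 'apple' in a host whose registrable domain is not
    apple.com. Returns None for legitimate brand hosts and unrelated hosts.
    Substring matching is deliberately loose, so review hits by hand."""
    host = urlsplit(refang(url)).hostname or ""
    domain = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and domain not in legit:
            return brand, domain
    return None

# Constructed sample URLs in the style of the giveaway scams described above.
SAMPLE_URLS = [
    "http[:]//apple[.]com[-]free[-]giveaway[.]test/",
    "http://applestore.officialfreegift.test/",
    "http://iphone6.howtogetafree.test/",
    "https://www.apple.com/shop/",
    "http://facebook.com/",
]

def scan(urls):
    """Map each URL to its impersonation verdict, dropping the clean ones."""
    verdicts = {}
    for url in urls:
        verdict = brand_impersonation(url)
        if verdict:
            verdicts[url] = verdict
    return verdicts
```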

We recently covered a fake app offering early access to Amazon.com Black Friday and Cyber Monday offers and deals. With the rise in mobile device usage for browsing and shopping, we expect to see more and more such fake applications with exciting offers targeting mobile users.

How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues through Christmas. The Zscaler ThreatLabZ team is working around the clock to ensure that our customers do not fall prey to such malicious activity.